LinkedIn has turned to the FBI for help after 6.5 million of its users' passwords were dumped online by hackers.
The business network said "a small subset" of the hashed data had been deduced and revealed, but the rest is "hard to decode". Security biz Sophos estimated that as much as 60 per cent of the leaked list had been …

COMMENTS

lax security policies

Whilst LinkedIn were at least hashing passwords, there are countless sites out there not performing this simple task.

Those sites are easy to spot: they're the ones that have limitations on their passwords. I just signed up to a t-mobile.co.uk account to manage my dongle; the password must be less than 15 characters and contain no special characters. The only reason for this is that the field they are storing the string in doesn't allow more than 15 characters or special characters.

Maybe not targeted ...

Now is the ideal time to send out vast amounts of phishing spam with links to your "Linkedin" password change page. Even if you haven't even looked at the password leak yourself, you can skim passwords from people who've heard about the Linkedin security breach and gladly click on the proffered link to change their password.

Links in email?

I received a very phishy email this morning from LinkedIn Admin - apparently. It's well written but contains a number of shortlinks. Text of the email is below (I've subtly altered the links from the originals in case anybody feels like being suicidal and clicking them "just to see what happens"...)

You’ve probably read by now that yesterday was not a good day for LinkedIn or millions of its users: the company has confirmed that hackers stole and released more than 6 million encrypted LinkedIn passwords in a massive security breach of the business social networking site.

What do you need to do right away? If you have not already changed your LinkedIn password, then do it quickly - here’s how: http://read.bi/MeTrsv

If your LinkedIn account WAS compromised, you will see at your next log-in that it has been disabled. Take these steps next, as recommended by LinkedIn: http://bit.ly/NitaTg

Unfortunately, this week’s large-scale password theft is unlikely to be the last of its kind: cyber attacks lurk in places you'd least expect. But practicing good, preventive cyber hygiene can keep you safer. How can you be smarter and more secure while still being social?

Re: In front of their families.

Not much risk to security

So someone managed to get a big list of hashes, so what? Unless someone somewhere has the corresponding user IDs there is no further risk to account security. All you could glean from the list is that X number of people use password Y, not who those people were.

The biggest issue I see is that it suggests LinkedIn was not salting passwords and using a fast hash that facilitates dictionary attacks. Remedying these issues wouldn't stop hackers from thieving the list but it would make it far harder to figure out the plaintext for the password unless they could lay their hands on the salting algorithm at the same time.
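Added example, not from the commenter above or from LinkedIn: the point about an unsalted, fast hash is easiest to see in code. The users, passwords and the short "wordlist" below are constructed for the example; PBKDF2-HMAC-SHA256 stands in for any deliberately slow salted scheme (bcrypt or scrypt would do as well). With an unsalted fast hash one hash per candidate word is checked against every user at once, and users sharing a password share a hash; with a per-user salt each (user, word) pair costs a separate slow computation.

```python
# Added example: cost of a dictionary attack against an unsalted fast hash
# versus a salted, deliberately slow one. All data below is constructed.
import hashlib
import os

# Constructed sample users; alice and carol share a password, dave's is not in any wordlist.
USERS = {
    "alice": "letmein",
    "bob": "Summer2012",
    "carol": "letmein",
    "dave": "xK9#q!vL2p",
}

# Constructed stand-in for a real dictionary.
WORDLIST = ["password", "123456", "letmein", "linkedin", "Summer2012", "qwerty"]

ITERATIONS = 100_000  # work factor for the slow scheme (assumed value)


def sha1_hex(password):
    """Unsalted, fast hash: the kind of scheme the leaked list suggests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def unsalted_dump(users):
    """A leak of an unsalted table: just the hashes, identical passwords collapse."""
    return {sha1_hex(pw) for pw in users.values()}


def crack_unsalted(dump, wordlist):
    """One hash per candidate word tests it against every user in the dump at once."""
    cracked = {}
    hashes_computed = 0
    for word in wordlist:
        hashes_computed += 1
        h = sha1_hex(word)
        if h in dump:
            cracked[h] = word
    return cracked, hashes_computed


def salted_record(password, salt=None):
    """Per-user random salt plus a slow key derivation; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def salted_dump(users):
    """A leak of a salted table: every user has a distinct salt, so identical
    passwords no longer produce identical digests."""
    return {name: salted_record(pw) for name, pw in users.items()}


def crack_salted(dump, wordlist):
    """The salt forces a separate slow hash for every (user, word) pair."""
    cracked = {}
    hashes_computed = 0
    for name, (salt, digest) in dump.items():
        for word in wordlist:
            hashes_computed += 1
            candidate = hashlib.pbkdf2_hmac("sha256", word.encode("utf-8"), salt, ITERATIONS)
            if candidate == digest:
                cracked[name] = word
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    fast = unsalted_dump(USERS)
    found, n = crack_unsalted(fast, WORDLIST)
    print(f"unsalted: {len(fast)} distinct hashes, {len(found)} cracked with {n} hash computations")
    slow = salted_dump(USERS)
    found, n = crack_salted(slow, WORDLIST)
    print(f"salted:   {len(slow)} records, {len(found)} cracked with {n} slow computations")
```

Scale the numbers up and the difference is the whole story: against 6.5 million unsalted SHA-1 hashes a wordlist of a billion entries costs a billion fast hashes in total, whereas salted records cost that per user, each at the chosen work factor.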

Re: Not much risk to security

The vast increase in spam coming from LinkedIn over the last two days appears to indicate that at least some of the email addresses have been decrypted. Whether they've been linked with the passwords is anybody's guess...

Re: Not much risk to security

Except that some of us (me, for instance), far from seeing an _increase_ in spam on the throw-away account I used for LinkedIn, have seen a _decrease_ in spam: exactly two spam emails, one in Korean, and one which tried to sell me a new Dell XPS laptop. Given my opinion of Dell the Korean spam has a better chance of success; as I can't read what it's saying, not knowing Hangul, there's a chance that I might buy something from the people it advertises by accident. Dell would have to pay me before I got a Dell laptop. Actually, Dell would have to pay me a _lot_ before I'd get a Dell anything.

Did they get the Porsche dealer?

Cookie laws?

A law that makes storage of passwords in plaintext (at the very least!) illegal should be seriously considered. Or force websites to state their password encryption and storage procedures on registration/signin pages.

Should I change my password?

If only the encrypted passwords were leaked, not the corresponding email addresses, then I'm not sure I should change my password. What if my password hash wasn't leaked, but then I end up changing it to one that was?!

Re: Should I change my password?

I've seen it claimed that the published list is a deduped subset. It seems unlikely that the passwords were stored one place and the usernames/email addresses somewhere else with stronger protection, so assume that the hackers have a complete list of email/password tuples.

Also, as there's no word on *how* the data got out and now LinkedIn are asking the FBI for help it looks like the hackers may still have complete freedom to download fresh copies of the passwords whenever they want. So be prepared to change your password again after the hole is finally closed.

Re: Should I change my password?

You can

1) check it here using JavaScript; however, this might not be very secure: who knows whether your password is being transmitted somewhere, or whether the JavaScript code is secure

2) get the 7z file from this Yandex link (about 100 MB). It will be more secure to decompress it and check it all on your own. Easy when you have a POSIX environment like GNU/Linux or BSD (should be possible on Mac OS X):
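Added example, not part of the comment above: an offline check of a password against a locally downloaded dump, so the password never leaves the machine. The assumptions are mine, not the poster's: the dump is one lowercase hex SHA-1 per line (the list was widely reported to be unsalted SHA-1), and some entries have their first five hex digits overwritten with "00000", which was reported as a marker for hashes already cracked. The sample dump here is constructed inline.

```python
# Added example: check a password against a local hash dump without sending it anywhere.
# Assumes (my assumption) one lowercase hex SHA-1 per line, some entries masked
# with a leading "00000"; matching is done on the last 35 hex digits so masked
# and unmasked entries both match.
import hashlib


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def load_dump(lines):
    """Index the dump by the last 35 hex digits of each hash.
    Non-hash lines (blank, garbled, wrong length) are skipped."""
    index = {}
    for line in lines:
        h = line.strip().lower()
        if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
            continue
        index[h[5:]] = h
    return index


def check_password(password, index):
    """Return None if the password's hash is not in the dump, 'present' if it is,
    or 'marked cracked' if it is there with the leading-"00000" mask.
    Caveat: a genuine hash that happens to start with 00000 (about 1 in a million)
    is indistinguishable from a masked one here."""
    h = sha1_hex(password)
    found = index.get(h[5:])
    if found is None:
        return None
    return "marked cracked" if found.startswith("00000") else "present"


# Constructed sample dump: one masked entry, one plain entry, one junk line.
SAMPLE_DUMP = "\n".join([
    "00000" + sha1_hex("linkedin")[5:],
    sha1_hex("password"),
    "not a hash at all",
])


def check_sample(password):
    return check_password(password, load_dump(SAMPLE_DUMP.splitlines()))


if __name__ == "__main__":
    import getpass
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path is None:
        print("usage: check.py /path/to/dump.txt")
        sys.exit(1)
    with open(path, "r", encoding="ascii", errors="ignore") as f:
        idx = load_dump(f)
    result = check_password(getpass.getpass("Password to check: "), idx)
    print(result or "not found")
```

Loading several million 40-character entries into a dict takes a fair amount of memory; if that is a problem, compute the hash first and search the file for its last 35 hex digits with grep instead. Either way the check runs entirely on your own machine.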

Re: "until they get around to finally salting those hashes"

"Therefore if your passwords are hashed but not salted, a hash can only be added at the point the user changes their password."

Not totally true. You can rehash the password any time you have the plain text version which can be done the next time the user logs in. Of course, if the passwords have been leaked you should be asking them to change it when they log in anyway!
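Added example, not the commenter's code and not how LinkedIn did it: the rehash-at-next-login migration described above. A record is either a legacy unsalted SHA-1 hex string or a self-describing salted record (PBKDF2-HMAC-SHA256 here, an assumed choice); a successful login against a legacy record rehashes the plaintext that is in hand and overwrites the record, and the caller is told the record was legacy so it can demand a password change, as the comment recommends after a leak.

```python
# Added example: upgrade unsalted hashes to salted ones at login time, while the
# plaintext is available. Scheme and record format are assumptions for the example.
import hashlib
import hmac
import os

ITERATIONS = 100_000
PREFIX = "pbkdf2_sha256$"


def legacy_hash(password):
    """The old scheme: unsalted SHA-1 hex, as stored before the migration."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def new_hash(password, salt=None):
    """The new scheme: random per-user salt, slow derivation, self-describing record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return PREFIX + salt.hex() + "$" + digest.hex()


def is_legacy(stored):
    return not stored.startswith(PREFIX)


def verify(stored, password):
    """Constant-time comparison against whichever scheme the record uses."""
    if is_legacy(stored):
        return hmac.compare_digest(legacy_hash(password), stored)
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def login(db, username, password):
    """Returns (ok, must_change_password). On a successful login against a
    legacy record the record is rewritten with the new scheme immediately and
    the caller is told to force a password change."""
    stored = db.get(username)
    if stored is None or not verify(stored, password):
        return False, False
    if is_legacy(stored):
        db[username] = new_hash(password)  # plaintext is in hand: rehash now
        return True, True
    return True, False


if __name__ == "__main__":
    users = {"alice": legacy_hash("letmein")}  # constructed legacy record
    print(login(users, "alice", "wrong"))     # (False, False), record untouched
    print(login(users, "alice", "letmein"))   # (True, True), record upgraded
    print(users["alice"][:20] + "...")
    print(login(users, "alice", "letmein"))   # (True, False), already migrated
```

Note that a failed login leaves the legacy record in place (there is no plaintext to rehash), so the migration only completes for users who actually log in; anyone who never returns keeps an unsalted hash, which is the residual problem the quoted sentence is pointing at.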


Re: Call me confused

Yes, you are cornfused...

Hacking is a crime and hackers end up in prison for being in denial. There they get to befriend other people in denial. It's a wonderful brotherhood of stupidity gathered in one place for the benefit of society.

Re: Call me confused

People who care about keeping their private info private don't feel a lot of remorse for telling white lies on Facebook. LinkedIn is supposed to be a career-oriented website, including networking and looking for new jobs. White lies there are a bit more likely to get you into trouble, so the information is usually better. Of course, if you aren't on LinkedIn, it's a bit like a Windows user worrying about a Mac virus.